LW-SSO Authentication Best Practice

This section provides guidance for increasing the security of product integrations using the previously described LW-SSO features of UCMDB. This includes network configuration details regarding implementation of sub-domains and information regarding cookie security specific to LW-SSO.

  1. Ensure that the UCMDB server components and the integrated product server components (for example, Release Control, Service Manager) are deployed within appropriate sub-domains. For example, if the UCMDB server is currently named ucmdb.mycompany.com, implement a sub-domain with a name of your choice under the mycompany domain and deploy UCMDB within the new sub-domain.

    In this example, the new sub-domain is named after the region where the server resides: americas. Thus the resulting fully qualified domain name of the server would be: ucmdb.americas.mycompany.com.

    Repeat this process for each integrated product in your deployment. For example, releasecontrol.americas.mycompany.com, sm.americas.mycompany.com.

  2. Once the above is completed, change the LW-SSO configuration for UCMDB and the integrated products to point to the new sub-domain.

    To do so:

    1. Go to jmx-console > LW-SSO Configuration > setDomain.
    2. Enter your domain (americas.mycompany.com in the above example).
    3. Click Invoke.

    Note: It is necessary to change the LW-SSO configuration files of the integrated product(s) for the LW-SSO features to function properly. For information about changing the LW-SSO configuration for the integrated products, refer to that product’s installation and configuration documentation.

  3. To further protect the LW-SSO session cookie, it is recommended to change the value of the parameter expirationPeriod.

    To do so:

    1. Go to jmx-console > LW-SSO Configuration > setCookieExpirationPerioad.
    2. Enter the value 8.

    3. Click Invoke.
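A pre-change check for steps 1 and 2, as an added example that is not part of the product or its documentation: it audits which hosts fall inside the domain you plan to pass to setDomain. It assumes the LW-SSO cookie is scoped to that domain and follows standard cookie domain matching (RFC 6265); the function names and the unrelated host names are constructed for illustration.

```python
# Added example, not UCMDB code. Assumes the LW-SSO cookie is scoped to the
# domain entered in setDomain and is matched per RFC 6265 section 5.1.3.

def domain_match(host: str, cookie_domain: str) -> bool:
    """True if host equals cookie_domain or is a sub-domain of it."""
    host = host.strip(".").lower()
    cookie_domain = cookie_domain.strip(".").lower()
    # The leading dot prevents "notamericas.x" from matching "americas.x".
    return host == cookie_domain or host.endswith("." + cookie_domain)


def audit_lwsso_scope(lwsso_domain, parent_domain, integrated_hosts, other_hosts):
    """Return (finding, value) tuples for a planned LW-SSO domain setting.

    integrated_hosts: servers that must share the LW-SSO session.
    other_hosts: servers in the parent domain that should not receive the cookie.
    """
    findings = []
    if lwsso_domain.strip(".").lower() == parent_domain.strip(".").lower():
        # Step 1 asks for a dedicated sub-domain, not the company domain itself.
        findings.append(("domain-too-broad", lwsso_domain))
    elif not domain_match(lwsso_domain, parent_domain):
        findings.append(("domain-outside-parent", lwsso_domain))
    for host in integrated_hosts:
        if not domain_match(host, lwsso_domain):
            # This product would never be sent the cookie, so SSO would break.
            findings.append(("integrated-host-outside-domain", host))
    for host in other_hosts:
        if domain_match(host, lwsso_domain):
            # This server would be sent the LW-SSO cookie although it is not integrated.
            findings.append(("unrelated-host-inside-domain", host))
    return findings


# Host names from the example in steps 1 and 2.
INTEGRATED = [
    "ucmdb.americas.mycompany.com",
    "releasecontrol.americas.mycompany.com",
    "sm.americas.mycompany.com",
]
# Constructed names standing in for servers outside the integration.
OTHER = ["www.mycompany.com", "wiki.mycompany.com"]

if __name__ == "__main__":
    for domain in ("mycompany.com", "americas.mycompany.com"):
        print(domain, audit_lwsso_scope(domain, "mycompany.com", INTEGRATED, OTHER))
```

An empty result for the planned domain means every integrated product is inside it and none of the listed unrelated servers are.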